Add-AzureKeyVaultKey results in "Forbidden" when following these exact steps
WARNING returned in the previous command (New-AzureRmKeyVault): "WARNING: Access policy is not set. No user or application have access permission to use this vault. This can happen if the vault was created by a service principal. Please use Set-AzKeyVaultAccessPolicy to set access policies."
The document mentions "For both protection models, the Azure platform needs to be granted access to request the cryptographic keys when the VM boots to decrypt the virtual disks." --> this is a bit light for a crucial step and should be elaborated (e.g. using the portal or a PowerShell cmdlet).
@woutervanranst Which credentials did you use to log in to Azure using PowerShell?
It will be your user credentials or a service principal.
You can use Get-AzureRmContext to see the user.
You can also check the access policies for your key vault.
In the portal, go to the key vault and in the left pane click on "Access policies" under Settings.
If your currently logged-in user or service principal doesn't have access, then add them.
Try this out and let me know.
I used the shell in the portal (and the account that goes with it).
Indeed, I got around to it through the portal and it is working as expected; I just think this is an essential step that is missing.
Everything went well when I followed the document. But I did not get the warning for the command "New-AzureRmKeyVault".
Once the vault was created I looked at the vault information using "Get-AzureRmKeyVault", and I was able to see my name under access policies with full access.
Because of that I was able to use those keys.
Also, that key vault should be enabled for disk encryption under Advanced access policies.
If you used Cloud Shell, then it should have used your credentials only.
If you have time, can you create a new key vault and describe it? Then review the access policies and let me know.
@woutervanranst Any update?
This is the entire session below from scratch, with the context info at the top, reproducing the issue at the end.
Welcome to Azure Cloud Shell
Type "az" to use Azure CLI 2.0
Type "help" to learn about Cloud Shell
VERBOSE: Authenticating to Azure ...
PS Azure:> Get-AzureRmContext
Name Account SubscriptionName Environment TenantId
---- ------- ---------------- ----------- --------
Microsoft Azure Internal Consumption ... MSI@50342 Microsoft Azure Inter... AzureCloud 72f988bf-86f1-41af-9...
Azure:/
PS Azure:>
Azure:/
PS Azure:> $rgName = "myResourceGroup"
Azure:/
PS Azure:> $location = "East US"
Azure:/
PS Azure:>
Azure:/
ProviderNamespace : Microsoft.KeyVault
RegistrationState : Registered
ResourceTypes : {vaults, vaults/secrets, vaults/accessPolicies, operations...}
Locations : {North Central US, East US, North Europe, West Europe...}
Azure:/
ResourceGroupName : myResourceGroup
Location : eastus
Tags :
ResourceId : /subscriptions/e9cdd77e-46ed-446f-a8d2-eed62887fded/resourceGroups/myResourceGroup
Azure:/
PS Azure:> $keyVaultName = "myKeyVault$(Get-Random)"
Azure:/
PS Azure:> New-AzureRmKeyVault -Location $location `
-ResourceGroupName $rgName `
-VaultName $keyVaultName `
-EnabledForDiskEncryption
Vault Name : myKeyVault1450899106
Resource Group Name : myResourceGroup
Location : East US
Resource ID : /subscriptions/e9cdd77e-46ed-446f-a8d2-eed62887fded/resourceGroups/myResourceGroup/providers/Microsoft.
KeyVault/vaults/myKeyVault1450899106
Vault URI : https://mykeyvault1450899106.vault.azure.net/
Tenant ID : 72f988bf-86f1-41af-91ab-2d7cd011db47
SKU : Standard
Enabled For Deployment? : False
Enabled For Template Deployment? : False
Enabled For Disk Encryption? : True
Soft Delete Enabled? :
Access Policies :
Network Rule Set :
Default Action : Allow
Bypass : AzureServices
Virtual Network Rules :
Tags :
WARNING: Access policy is not set. No user or application have access permission to use this vault. This can happen if the vault was created by a service principal. Please use Set-AzKeyVaultAccessPolicy to set access policies.
Azure:/
PS Azure:> Add-AzureKeyVaultKey -VaultName $keyVaultName `
-Name "myKey" `
-Destination "Software"
Add-AzureKeyVaultKey : Operation returned an invalid status code 'Forbidden'
At line:1 char:1
+ Add-AzureKeyVaultKey -VaultName $keyVaultName `
+ ~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Add-AzKeyVaultKey], KeyVaultErrorException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.AddAzureKeyVaultKey
Azure:/
PS Azure:>
@woutervanranst I also tried the tutorial but I am not getting the Forbidden error. I am not sure why you are seeing it. One extra step I took, other than those in the tutorial, was the following, shared by @jakaruna-MSFT:
Can you please confirm that you did the following?
Once the vault was created I looked at the vault information using "Get-AzureRmKeyVault", and I was able to see my name under access policies with full access.
Because of that I was able to use those keys.
You can also check the access policies for your key vault.
In the portal, go to the key vault and in the left pane click on "Access policies" under Settings.
If your currently logged-in user or service principal doesn't have access, then add them.
Also, that key vault should be enabled for disk encryption under Advanced access policies.
@woutervanranst Please share the doc-improvement suggestions when you are ready and please tag me in a comment to reopen the issue and we will gladly continue the discussion.
I confirm the reported problem. You need to add the access policy for the current user.
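The missing step the thread converges on (grant the caller an access policy before Add-AzureKeyVaultKey, and verify the vault is enabled for disk encryption) can be done from the same AzureRM session as the tutorial. The following is an added example written for this page; it is not code from the issue, the docs page, or the AzureRM module's own samples. It assumes the AzureRM cmdlets used in the thread, that $keyVaultName is already set as in the tutorial, and that you pass your own user principal name explicitly: the Get-AzureRmContext output in the session above shows the Cloud Shell account as MSI@50342, so the policy is bound to a user you name rather than derived from the context. The function name Grant-KeyVaultKeyAccess and the UPN value are hypothetical.

```powershell
function Grant-KeyVaultKeyAccess {
    # Grant a named user the minimum key permissions needed to run the
    # tutorial (create a key, then read it back), and check the result.
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )

    # Access policies are bound to AAD object IDs, not to display names or UPNs,
    # so resolve the user first. If directory lookups are not permitted in your
    # session, substitute the object ID copied from the portal (assumption).
    $user = Get-AzureRmADUser -UserPrincipalName $UserPrincipalName
    if (-not $user) {
        throw "User '$UserPrincipalName' was not found in the vault's tenant."
    }

    # Least privilege for this scenario: 'create' is what Add-AzureKeyVaultKey
    # needs; 'get' and 'list' let you inspect the result. Nothing broader.
    $keyPermissions = @('create', 'get', 'list')
    Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName `
        -ObjectId $user.Id `
        -PermissionsToKeys $keyPermissions

    # Verify the policy actually landed before relying on it.
    $vault  = Get-AzureRmKeyVault -VaultName $VaultName
    $policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $user.Id }
    if (-not $policy) {
        throw "Access policy for '$UserPrincipalName' was not applied to '$VaultName'."
    }

    # The platform needs this flag to request keys at VM boot (the step the
    # issue asks the docs to spell out); warn rather than silently continue.
    if (-not $vault.EnabledForDiskEncryption) {
        Write-Warning "Vault '$VaultName' is not enabled for disk encryption; Azure Disk Encryption will not be able to use its keys."
    }

    return $policy
}

# Usage (placeholder UPN; replace with the account you signed in with):
$policy = Grant-KeyVaultKeyAccess -VaultName $keyVaultName -UserPrincipalName 'you@contoso.example'
$policy | Format-List ObjectId, PermissionsToKeys

# With the policy in place, the call that returned 'Forbidden' in the session above succeeds:
Add-AzureKeyVaultKey -VaultName $keyVaultName -Name 'myKey' -Destination 'Software'
```

The check against $vault.AccessPolicies is the scripted equivalent of what @jakaruna-MSFT suggested doing by eye with Get-AzureRmKeyVault: a 'Forbidden' from the data plane with an empty Access Policies list is the expected symptom, and reading the policy back distinguishes "policy not applied" from a genuine permission mismatch.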